Hello everyone,

I'd like to set up Shorewall as a bridging firewall. I've got a Shorewall management server and 2 Shorewall Lite servers. Version 4.24-1

The Shorewall Lite servers have 3 interfaces:
eth2 dmz
eth0 internet
eth1 loc

I created a bridge and added the interfaces eth0 and eth1.

I'd like to filter/restrict the traffic through the bridge. Now my question is:

Do I need shorewall-perl for this? Where can I download shorewall-perl? I already searched through some download mirrors on shorewall.net but didn't find shorewall-perl...

Can I filter through the bridge with Shorewall + Shorewall Lite, too?

I already installed bridge-utils, etc. I only don't know how to configure Shorewall for bridging firewall support. Can I use this tutorial, even though I don't use shorewall-perl? http://www.shorewall.net/bridge-Shorewall-perl.html

If I start the command "shorewall load firewall1" on my Shorewall management server, it starts compiling, but gives me 2 errors:

First in shorewall.conf:
    Bridging=YES is not supported in shorewall 4.x.x

I googled this error and was linked to: http://www.shorewall.net/bridge-Shorewall-perl.html
That's why I ask you: do I need shorewall-perl for bridging firewall support and where can I download it?

As I commented the Bridging=yes out I received another error in "hosts":
    ERROR: invalid IP Address (eth0) at line 132

That's the line:
    net br0:eth0

I'd really appreciate any given support!

Best Regards
Alex
On Nov 14, 2011, at 10:40 PM, <Alexander.Eck@Heidelberg.de> wrote:

> I'd like to set up Shorewall as a bridging firewall. I've got a Shorewall management server and 2 Shorewall Lite servers. Version 4.24-1

Presumably, you mean 4.4.24-1?

> The Shorewall Lite servers have 3 interfaces:
> eth2 dmz
> eth0 internet
> eth1 loc
>
> I created a bridge and added the interfaces eth0 and eth1.
>
> I'd like to filter/restrict the traffic through the bridge.
> Now my question is:
>
> Do I need shorewall-perl for this? Where can I download shorewall-perl? I already searched through some download mirrors on shorewall.net but didn't find shorewall-perl...

From http://www.shorewall.net/FAQ.htm (FAQ 14):

    I can't find the Shorewall 4.4 shorewall-common, shorewall-shell and shorewall-perl packages? Where are they?

    Answer: In Shorewall 4.4, the shorewall-shell package was discontinued. The shorewall-common and shorewall-perl packages were combined to form a single shorewall package.

> Can I filter through the bridge with Shorewall + Shorewall Lite, too?

Yes.

> I already installed bridge-utils, etc. I only don't know how to configure Shorewall for bridging firewall support.
> Can I use this tutorial, even though I don't use shorewall-perl? http://www.shorewall.net/bridge-Shorewall-perl.html

If you have Shorewall 4.4.24, then you have Shorewall-perl as mentioned above.

> If I start the command "shorewall load firewall1" on my Shorewall management server, it starts compiling, but gives me 2 errors:
> First in shorewall.conf:
> Bridging=YES is not supported in shorewall 4.x.x
> I googled this error and was linked to: http://www.shorewall.net/bridge-Shorewall-perl.html

Which is the correct HOWTO.

> That's why I ask you: do I need shorewall-perl for bridging firewall support and where can I download it?
>
> As I commented the Bridging=yes out I received another error in "hosts":
> ERROR: invalid IP Address (eth0) at line 132
>
> That's the line:
> net br0:eth0
>
> I'd really appreciate any given support!

Simply follow the instructions at http://www.shorewall.net/bridge-Shorewall-perl.html.

-Tom

Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
<Alexander.Eck@Heidelberg.de>
2011-Nov-15 14:29 UTC
Re: shorewall bridging firewall set up
Hi Tom,

thanks for your reply. Yes, I meant 4.4.24. I got a bit confused with shorewall and shorewall-perl but I guess I now get it.

But I'm actually getting another error:

I'm running CentOS 5.7 with iptables 1.3.5, and while compiling on the management system with the command:
    shorewall load firewallDNSname

I receive the error:
    ERROR: Your iptables is not recent enough to support bridge ports : /opt/shwallexport/fw01/interface (line 233)

So I tried the same setup with CentOS 6 with iptables 1.4.7, and I receive the same error.

I configured it like mentioned here: http://www.shorewall.net/bridge-Shorewall-perl.html.

You've got any idea on that issue?

Best Regards
Alex

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, 15 November 2011 15:08
To: Shorewall Users
Subject: Re: [Shorewall-users] shorewall bridging firewall set up

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Tue, 2011-11-15 at 14:29 +0000, Alexander.Eck@Heidelberg.de wrote:

> But I'm actually getting another error:
>
> I'm running CentOS 5.7 with iptables 1.3.5
> And while compiling on the management system with the command:
> shorewall load firewallDNSname

I really recommend running 'shorewall check .' until you get the configuration clean.

> I receive the error:
> ERROR: Your iptables is not recent enough to support bridge ports : /opt/shwallexport/fw01/interface (line 233)

You generate the capabilities file on the *firewall* system, and it is that system's iptables that is missing the "Repeat match" capability. In the capabilities file, it is listed as KLUDGEFREE.

-Tom
<Alexander.Eck@Heidelberg.de>
2011-Nov-15 15:12 UTC
Re: shorewall bridging firewall set up
Thanks Tom,

after copying the correct capabilities file everything works just fine!

Greetings
Alex

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, 15 November 2011 15:44
To: Shorewall Users
Subject: Re: [Shorewall-users] shorewall bridging firewall set up
<Alexander.Eck@Heidelberg.de>
2011-Nov-16 09:23 UTC
Re: shorewall bridging firewall set up
Hi Tom and everyone,

After creating the capabilities file (KLUDGEFREE=yes), compiling Shorewall now works fine, but my two Shorewall Lite servers seem to just ignore all rules and the policies.

Setup as follows:
br0 with the interfaces eth0 (net) and eth1 (loc)
eth2 (dmz)
br0 has no IP

Entries in file interfaces:
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    pub     br0         -           bridge
    net     br0:eth0
    loc     br0:eth1
    dmz     eth2        detect

Entries in file zones:
    #ZONE      TYPE       OPTIONS   IN        OUT
    #                               OPTIONS   OPTIONS
    fw         firewall
    pub        ipv4
    net:pub    bport4
    loc:pub    bport4
    dmz        ipv4

Some entries from file rules:
    ACCEPT   dmz   fw    udp   161
    ACCEPT   dmz   fw    tcp   1311
    ACCEPT   net   loc   udp   8116
    ACCEPT   net   loc   tcp   80,443,8080
    ACCEPT   net   loc   ESP

I connected a laptop on port eth0 (net) and another laptop on port eth1. I tried to connect to some ports from net to loc that should get dropped, but they get accepted.

I already took a look on the Shorewall Lite servers in the log files with "shorewall show log". The only content I receive is:

    Shorewall Lite 4.4.24.1 Log (/var/log/messages) at shwall01 - Mi 16. Nov 09:58:00 CET 2011

    Counters reset Mi 16. Nov 09:46:03 CET 2011

Any idea on this?

Best Regards
Alex

-----Original Message-----
From: Alexander.Eck@Heidelberg.de [mailto:Alexander.Eck@Heidelberg.de]
Sent: Tuesday, 15 November 2011 16:12
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] shorewall bridging firewall set up
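As an added example that is not part of the thread and not Shorewall's own code: a small POSIX shell script that checks the interfaces and zones entries posted above for the structural conventions the bridge layout relies on (assumed from the thread's own configuration: the bridge interface carries the "bridge" option and sits in a regular zone, every bridge port is written as brN:port, and port zones are bport4 zones whose parent is the bridge's zone). It also reports whether the kernel's bridge-netfilter sysctl is passing bridged IPv4 frames to iptables, which is the first thing to confirm when bridge rules appear to be ignored. The function names, the check messages and the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): a static
# consistency check for a Shorewall bridge-firewall configuration, meant to
# run on the administration host before 'shorewall load'. It encodes the
# layout used in the thread: the bridge itself has the "bridge" option and a
# regular zone, each bridge port is listed as brN:port, and port zones are
# bport4 zones whose parent is the bridge's zone. It also reports whether the
# running kernel hands bridged IPv4 frames to iptables at all.

# sw_check INTERFACES ZONES: print one line per problem found; exit 0 if clean.
sw_check() {
    awk '
    FNR == NR {                                # first file: zones
        sub(/#.*/, ""); if (NF < 2) next
        n = split($1, z, ":"); ztype[z[1]] = $2
        if (n == 2) parent[z[1]] = z[2]
        next
    }
    {                                          # second file: interfaces
        sub(/#.*/, ""); if (NF < 2) next
        if (index($2, ":")) {                  # bridge port line: ZONE brN:port
            portzone[$2] = $1
        } else {
            ifzone[$2] = $1
            for (i = 3; i <= NF; i++)
                if ($i ~ /(^|,)bridge(,|$)/) isbridge[$2] = 1
        }
    }
    END {
        bad = 0
        for (port in portzone) {
            split(port, p, ":"); br = p[1]; zone = portzone[port]
            if (!(br in isbridge)) {
                print "port " port ": bridge " br " lacks the bridge option"
                bad++
            }
            if (ztype[zone] !~ /^bport/) {
                found = (zone in ztype) ? ztype[zone] : "<undeclared>"
                print "port " port ": zone " zone " must be bport4, found " found
                bad++
            } else if (parent[zone] != ifzone[br]) {
                print "port " port ": zone " zone " has parent " parent[zone] " but bridge " br " is in zone " ifzone[br]
                bad++
            }
        }
        exit bad ? 1 : 0
    }' "$2" "$1"
}

# bridge_nf_status: "enabled" if bridged IPv4 frames are passed through the
# iptables FORWARD chain (sysctl net.bridge.bridge-nf-call-iptables=1),
# "disabled" if the bridge forwards them without consulting iptables, which
# looks exactly like "all rules are ignored", "unavailable" if the kernel has
# no bridge-netfilter support loaded.
bridge_nf_status() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ ! -r "$f" ]; then echo unavailable; return 0; fi
    if [ "$(cat "$f")" = 1 ]; then echo enabled; else echo disabled; fi
}

# Constructed sample files, copied from the entries posted in the thread.
SW_TMP=$(mktemp -d)
cat > "$SW_TMP/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
pub     br0         -           bridge
net     br0:eth0
loc     br0:eth1
dmz     eth2        detect
EOF
cat > "$SW_TMP/zones" <<'EOF'
#ZONE      TYPE       OPTIONS
fw         firewall
pub        ipv4
net:pub    bport4
loc:pub    bport4
dmz        ipv4
EOF

if sw_check "$SW_TMP/interfaces" "$SW_TMP/zones"; then
    echo "bridge zone/interface configuration is consistent"
fi
echo "bridge-nf-call-iptables: $(bridge_nf_status)"
```

Run it on the administration host against the exported configuration directory; on the posted files it reports the configuration as consistent, so the next place to look is the firewall host itself, where bridge_nf_status must print "enabled" for any bport rule to be consulted.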
On Wed, 2011-11-16 at 09:23 +0000, Alexander.Eck@Heidelberg.de wrote:

> I connected a laptop on port eth0 (net) and another laptop on port eth1. I tried to connect to some ports from net to loc that should get dropped, but they get accepted.
>
> I already took a look on the Shorewall Lite servers in the log files with "shorewall show log".
> The only content I receive is:
>
> Shorewall Lite 4.4.24.1 Log (/var/log/messages) at shwall01 - Mi 16. Nov 09:58:00 CET 2011
>
> Counters reset Mi 16. Nov 09:46:03 CET 2011
>
> Any idea on this?

Please forward the output of 'shorewall-lite dump' collected on the firewall.

Thanks,
-Tom